I think signed email could provide a way forward. But i think paid-for certificates are the wrong way to go, just as i think they were the wrong way to go with http (it annoys me that i have to pay someone to sign a certificate so that people dont get warnings in their browser - who cares who signed the certificate, if the session is encrypted, it's encrypted. Anyone can get a signed certificate with fake details on it, so you're not even certifying the owner of the cert!)
I think a free and open way to do this would be better. Domainkeys look promising. Sending server signs email. Receiving server checks sending server really did send it. So far so good. But what is it actually acheiving - you can validate that the email is sent by the real sender - but whats to stop spammers setting up domains and signing emails? You still need to check if that domain / account is used for spam - so bring in the dns blacklists sponsored by the people who benefit the most financially from ridding the planet of spam - major providers. But, if you are doing the checking on the mail servers, why not verify the relaying servers address, not the email's domain. This eliminates the pain-in-the-ass for people like me who send email through several different servers / mail clients. I cant quite figure how it would work in these situations. So, mail.blah.com receives a mail from an authenticated user. mail.blah.com signs it, and sends it to mail.foo.com. Mail.foo.com sees a header saying "signed by mail.blah.com". It can now check using the signature/dns looked-up key and be sure the mail came from mail.blah.com. It can check out mail.blah.com in the blocklists. If the server isnt listed, then it's come from a 'good' mail server. If it is listed, then it's come from a bad mail server. All you need now is to be able to automatically rate servers - or maybe email address/server combination. I think the problem with anti-spam today is the people who are tackling it. People at yahoo are not going to come up with a system that relies on them stopping people using their mail servers to send spam. Similarly people working for certification authorities arnt going to come up with a solution that doesnt require a paid for certificate! It's about time some organisation got the backing of some big name, and produce a decent solution, and then using their might, forced the whole net to use it. Daniel. > -----Original Message----- > From: Noel J. Bergman [mailto:[EMAIL PROTECTED] > Sent: 31 July 2005 19:30 > To: James-General Mailing List > Subject: Signed e-mail as an anti-SPAM measure > > > At ApacheCon EU 2005, I had a chance to speak with folks from Thawte and > from CAcert regarding the use of signed e-mail, using existing RFCs, as a > tool to fight SPAM. A senior engineering manager from Thawte and a CACert > rep have subscribed to this list for purposes of furthering these > discussions. This e-mail is just to bring the subject to the > list, and open > the topic for discussion. > > Signed e-mail can be an effective tool to address SPAM. Signed e-mail can > be validated to know that there is a trusted identity responsible for the > e-mail. It addresses the needs of mobile workers and improves the ability > to use SMTP relays, reducing the need to police e-mail by IP address. We > can validate the authenticity of signed e-mail early, reject e-mail that > fails authentication, and reduce the amount of SPAM congesting > the Internet. > Where there is a need for anonymity, "anonymizers" can sign > e-mail on behalf > of their clients (as we do with our server-side signing), where the > anonymizer's reputation and ability to block SPAM will effect whether the > e-mail will be accepted downstream. > > Thus far our efforts, and later efforts by Yahoo!, have focused on the > platform we can control: the mail server. We added server-side message > signing using standard S/MIME, and subsequently Yahoo! published their > DomainKeys (http://antispam.yahoo.com/domainkeys) specification, > but in both > cases the necessary ubiquity is lacking. There was a feeling at ApacheCon > that by working up with CAs, we can help to promote much broader > penetration > of signed e-mail because of their established ties with major MUA authors. > > Regardless of whether e-mail is signed by the MUA or MTA, a > necessary piece > to the puzzle is a mechanism to validate the mail signing certificate. > Yahoo! has a DNS-based approach, and at ApacheCon we discussed > DNS, OCSP and > LDAP. There appears to be a consensus that LDAP is the best way > to go, but > the topic is still open. > > So there you go. This is just a note to kick off the discussion. > Hopefully, it says enough to get people involved, and is vague enough to > allow people to bring their own ideas to the table. > > --- Noel > >
